CN104468860B - Method and device for identifying the risk of a domain name resolution server - Google Patents


Info

Publication number
CN104468860B
Authority
CN
China
Prior art keywords
address
dns
parsing
local dns
domain name
Prior art date
Legal status
Active
Application number
CN201410735253.3A
Other languages
Chinese (zh)
Other versions
CN104468860A (en)
Inventor
郑玉虎
胡宇
刘浩
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410735253.3A
Publication of CN104468860A
Application granted
Publication of CN104468860B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method and a device for identifying the risk of a domain name resolution server. The method includes: obtaining the resolution result that a local DNS to be identified returns for a preset domain name; determining from that resolution result whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, where the resolution result carries the request source address information that the authoritative DNS added to the DNS resolution request; and, if it was not, determining that the local DNS carries a malicious risk. With this method, judging whether the resolution request received by the authoritative DNS was sent directly by the local DNS reveals whether the resolution was forwarded to, and performed by, another DNS server on the local DNS's behalf, from which it can be further determined whether the DNS carries a malicious risk; the identification process is simple and easy to implement.

Description

Method and device for identifying the risk of a domain name resolution server
Technical field
The present invention relates to the field of Internet security, and in particular to a method and a device for identifying the risk of a domain name resolution server.
Background technology
The Domain Name System (DNS) is a core service of the Internet and occupies an extremely important position. As a distributed database that maps domain names and IP addresses to each other, it lets people access the Internet more conveniently, without having to remember the numeric IP strings that machines read directly.
Exploiting these characteristics of DNS, an attacker can set up malicious DNS servers that intercept domain name resolution requests within the hijacked network range, inspect the requested domain name and, for resolution requests falling into certain preset ranges, return a tampered result or no address at all. The effect on the user is that, when accessing a specific address, the user is served the wrong page or cannot open the page at all, which poses a serious threat to the user's information security.
In the prior art, whether a DNS server (assume its IP address is A) is a rogue DNS is detected mainly by checking whether that DNS exhibits domain name hijacking behaviour. This requires querying a set of domain names on the DNS, comparing the query results with the expected resolution results, and judging whether hijacking is suspected. If the DNS at address A has hijacked domain name D, the resolution information it returns for D differs from the correct resolution result for D; it is therefore only necessary to compare the returned result with the legitimate information for the domain, and if they are inconsistent, the DNS at address A can be considered to be possibly hijacking domain name D.
The premise of the above prior-art rogue DNS identification technique is that the details of the detected domain name must be known in advance, such as which legitimate A records (the IP address records for a given host name or domain name) or CNAME (canonical name) records it has. For large websites that use CDN (Content Delivery Network) acceleration, however, the legitimate resolution information returned for one domain name changes frequently, so existing DNS identification methods often produce false positives; their accuracy is poor and they are hard to apply in practice.
Invention content
In view of the above problems, the present invention is proposed in order to provide a method and a device for identifying the risk of a domain name resolution server that overcome, or at least partially solve, the above problems.
A further object of the present invention is to improve the accuracy of identifying malicious DNS.
Another further object of the present invention is to improve the practicability of identifying malicious DNS, without requiring the accumulation of large amounts of data.
According to one aspect of the present invention, a method for identifying the risk of a domain name resolution server is provided. The method includes: obtaining the resolution result that a local domain name resolution server to be identified (Local DNS, hereinafter local DNS) returns for a preset domain name; determining from the resolution result whether the DNS resolution request received by the authoritative domain name server of the preset domain name (Authoritative DNS, hereinafter authoritative DNS) was sent directly by the local DNS, where the resolution result carries the request source address information added to the DNS resolution request by the authoritative DNS; and, if it was not, determining that the local DNS carries a malicious risk.
Optionally, the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, and determining from the resolution result whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS includes: obtaining the address of the local DNS; matching the address of the local DNS against the resolved address; and, if the address of the local DNS and the resolved address match, determining that the DNS resolution request was sent directly by the local DNS.
Optionally, matching the address of the local DNS against the resolved address includes: comparing whether the address of the local DNS and the resolved address are identical; if identical, determining that the address of the local DNS and the resolved address match.
Optionally, matching the address of the local DNS against the resolved address includes: comparing whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or the operator to which an address belongs; if identical, determining that the address of the local DNS and the resolved address match.
Optionally, if the address of the local DNS and the resolved address do not match, the method further includes: identifying whether the resolved address is the address of a public DNS; if so, raising the risk level of the local DNS.
Optionally, if the address of the local DNS and the resolved address do not match, the method further includes: obtaining the time-to-live value of the resolution result; judging whether the time-to-live value of the resolution result does not exceed the time-to-live preset by the authoritative DNS; if it does exceed it, raising the risk level of the local DNS.
Optionally, if the address of the local DNS and the resolved address do not match, the method further includes: recording the resolved addresses of multiple local DNS servers to generate a resolved address list; counting the number of times each resolved address appears in the list and sorting the addresses by count in descending order; and raising the risk level of the local DNS servers corresponding to the highest-ranked resolved addresses.
According to another aspect of the present invention, a device for identifying the risk of a domain name resolution server is also provided. The device includes: an acquisition module configured to obtain the resolution result that a local DNS to be identified returns for a preset domain name; and a judgment module configured to determine from the resolution result whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS and, if not, to determine that the local DNS carries a malicious risk, where the resolution result carries the request source address information added to the DNS resolution request by the authoritative DNS.
Optionally, the judgment module includes an address judgment submodule configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and, if the address of the local DNS and the resolved address match, determine that the DNS resolution request was sent directly by the local DNS, the authoritative DNS of the preset domain name being configured to use the request source address as the resolved address of the preset domain name.
Optionally, the address judgment submodule is further configured to: compare whether the address of the local DNS and the resolved address are identical; if identical, determine that the address of the local DNS and the resolved address match.
Optionally, the address judgment submodule is further configured to: compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or the operator to which an address belongs; if identical, determine that the address of the local DNS and the resolved address match.
Optionally, the judgment module further includes an address identification submodule configured to: identify whether the resolved address is the address of a public DNS; if so, raise the risk level of the local DNS.
Optionally, the judgment module further includes a time-to-live judgment submodule configured to: obtain the time-to-live value of the resolution result; judge whether the time-to-live value of the resolution result does not exceed the time-to-live preset by the authoritative DNS; if it does exceed it, raise the risk level of the local DNS.
Optionally, the above device for identifying the risk of a domain name resolution server further includes a statistics module configured to: record the resolved addresses of multiple local DNS servers to generate a resolved address list; count the number of times each resolved address appears in the list and sort the addresses by count in descending order; and raise the risk level of the local DNS servers corresponding to the highest-ranked resolved addresses.
In the method of the present invention for identifying the risk of a domain name resolution server, a DNS resolution request for the preset domain name is initiated through the local DNS to be identified, and the resolution result returned by the authoritative DNS of the preset domain name reflects the request source address from which the resolution request was sent. Since a malicious DNS generally forwards the DNS resolution requests that fall outside the range it tampers with to another DNS server, which resolves them on its behalf, judging whether the resolution request received by the authoritative DNS was sent directly by the local DNS shows whether the resolution was forwarded to and performed by another DNS server, from which it can be further determined whether the DNS carries a malicious risk.
Further, the authoritative DNS of the preset domain name can be configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, so that once the resolution result for the preset domain name is obtained, it can be judged directly whether the resolved address matches the address of the local DNS. This determines whether the local DNS completed the whole resolution process itself, and thus yields the identification result of whether the local DNS is malicious.
Further, the method of the present invention obtains the basis for judging a DNS merely by setting up one test domain name dedicated to detecting the request source address of DNS resolution requests, without accumulating large amounts of data for analysis; the identification process is simple and easy to implement.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more comprehensible, specific embodiments of the present invention are set out below.
From the following detailed description of specific embodiments of the present invention with reference to the accompanying drawings, those skilled in the art will understand more clearly the above and other objects, advantages and features of the present invention.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. The same reference numerals denote the same parts throughout the drawings. In the drawings:
Fig. 1 is an architecture diagram of a first usage environment of the device for identifying the risk of a domain name resolution server according to an embodiment of the present invention;
Fig. 2 is an architecture diagram of a second usage environment of the device for identifying the risk of a domain name resolution server according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the device for identifying the risk of a domain name resolution server according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the device for identifying the risk of a domain name resolution server according to another embodiment of the present invention; and
Fig. 5 is a schematic diagram of the method for identifying the risk of a domain name resolution server according to an embodiment of the present invention.
Specific embodiment
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. The structure required to construct such a system is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the contents of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
Fig. 1 is an architecture diagram of the first usage environment of the device for identifying the risk of a domain name resolution server according to an embodiment of the present invention. The DNS architecture is a hierarchical tree called the DNS domain name space; the topmost domain name space is called the "root node". The path from a top-level domain down to some subdomain constitutes a domain name: for example, going from the top-level domain .com to its second-level domain microsoft, and then to the subdomain departmentA of microsoft, gives the domain name departmentA.microsoft.com. Fig. 1 briefly introduces the resolution process for accessing a website address such as www.abc.com (abc.com is used as the example below). The flow is:
Step 1: the user's computer sends a request to resolve www.abc.com to the local DNS server configured in its system. The so-called local DNS server is the IP address of a DNS service, which may be obtained automatically from the operator, set manually, or configured by other means.
Step 2: the local DNS server checks whether it has this domain name in its own cache (the effect of caching is not considered in the subsequent embodiments); if not, it sends the resolution request for www.abc.com to a root server.
Step 3: after the root server receives the resolution request from the local DNS server, it analyses the requested domain name and returns to the local DNS server the IP address of the server for the .com domain node.
Step 4: having obtained the IP address of the .com top-level domain server, the local DNS server sends the resolution request for www.abc.com to the .com top-level domain server.
Step 5: after receiving the resolution request for www.abc.com, the .com top-level domain server returns to the local DNS server the IP address of the DNS server for the second-level domain abc.
Step 6: the local DNS server continues by sending the resolution request for www.abc.com to the DNS server for the second-level domain abc.
Step 7: the management server for the abc domain manages all subdomain names under abc.com and may be called the authoritative DNS. The subdomain www exists in the authoritative DNS's name space, and its resolution information is stored there, so the DNS server for the abc.com domain returns the resolution result for www.abc.com to the local DNS server.
Step 8: after receiving the resolution result for www.abc.com from the abc.com domain server, the local DNS server returns it to the user.
Step 9: having obtained the IP address corresponding to www.abc.com, the user's computer begins requesting the relevant content from that IP. At this point a complete DNS resolution process has ended.
In the above description, the local domain name server (Local DNS) refers to the DNS configured on the user's computer: all of the user's DNS resolution requests are sent directly to the local DNS, which processes them and returns the resolution results. The authoritative DNS refers to the DNS with authoritative publishing capability for a certain domain name; it is the original source of that domain's resolution results on the Internet. For example, if the authoritative DNS of the domain "abc.com" is 1.2.3.4, the authoritative resolution results for subdomains of "abc.com" (such as www.abc.com) can be obtained from 1.2.3.4.
The local DNS resolution process introduced in Fig. 1 is the normal DNS resolution process, in which every request of the iterative DNS resolution is sent by the local DNS itself. From analysis and research of a large number of malicious DNS servers, the inventors found that the resolution process of most malicious DNS is as shown in Fig. 2, an architecture diagram of the second usage environment of the device for identifying the risk of a domain name resolution server according to an embodiment of the present invention. In this architecture the local DNS is a malicious DNS that hijacks certain domain names, and the flow is:
Step A: the user's computer sends a request to resolve www.abc.com to the local DNS server configured in its system; this local DNS server is a malicious DNS that hijacks certain domain names;
Step B: after receiving the domain name resolution request, the malicious DNS first checks whether the requested domain name www.abc.com is one it wants to hijack; if so, Step C is performed, otherwise Step D;
Step C: the malicious DNS returns a tampered or forged resolution result to the user's computer, directing the user to a specific website to achieve its malicious purpose;
Step D: DNS resolution requests for domains that are not hijacking targets are sent on to another, normal DNS;
Step E: the normal DNS performs several rounds of iterative queries and obtains the address of the authoritative DNS of abc.com from the network;
Step F: the normal DNS sends a request to the authoritative DNS of abc.com to resolve www.abc.com;
Step G: the authoritative DNS of abc.com returns the normal resolution result for www.abc.com;
Step H: the normal DNS forwards the normal resolution result for www.abc.com to the malicious local DNS;
Step J: the malicious local DNS sends the normal resolution result for www.abc.com to the user's computer.
From the above workflow of a malicious local DNS it can be seen that a malicious local DNS generally returns hijacked results only for the individual targets it wants to hijack, while for the great majority of domain names it hands the iterative resolution over to a normal DNS to reduce its own load; the inventors' analysis further found that the forwarding DNS chosen by malicious DNS is usually a common public DNS server.
In view of the above resolution characteristics of malicious DNS, an embodiment of the present invention provides a device 100 for identifying the risk of a domain name resolution server. It can be deployed on the user side and detects the risk of a DNS through a preset private domain name dedicated to identification, thereby identifying dangerous domain name resolution servers. Fig. 3 is a schematic diagram of the device 100 for identifying the risk of a domain name resolution server according to an embodiment of the present invention; in general it includes an acquisition module 110 and a judgment module 120.
In the device 100 of this embodiment of the present invention, the acquisition module 110 is configured to obtain the resolution result that the local DNS to be identified returns for the preset domain name. The authoritative DNS of the preset domain name can be set up to send back, as the resolution result or included in it, the request source address that directly sent it the DNS request, so that the resolution result carries the request source address information that the authoritative DNS of the preset domain added to the DNS resolution request.
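The authoritative-server side of the scheme just described, and of the one-to-one source-address encoding mentioned in the method section, as an added example that is not code from the patent or from its assignee: a canary authoritative name server, written here against the raw DNS wire format with only the Python standard library, that answers every A query under its zone with the IP address of whoever delivered the query, with a short TTL. The zone name canary.example, the TTL of 30 seconds and the probe label are assumptions chosen for the example; a constructed query is pushed through the same function the UDP loop would call, so the block runs offline.

```python
"""Canary authoritative name server: the A record is the querier's source IP.

Added example (not the patent's or Qihoo 360's code). Assumptions: the test
zone canary.example, TTL 30 s, and a constructed probe query; only the
standard library is used, so no real network is needed to exercise it.
"""
import socket
import struct

ZONE = "canary.example"  # hypothetical test domain operated by the detector
TTL = 30                 # short TTL so caches cannot serve a stale echo


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass, question_bytes) from a DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels).lower(), qtype, qclass, msg[12:pos]


def build_echo_response(query: bytes, source_ip: str) -> bytes:
    """Answer an A/IN query inside ZONE with source_ip as the address.

    source_ip is the address of whoever actually delivered the query to this
    authoritative server: the local DNS if it resolved directly, otherwise the
    forwarder it handed the query to. Anything else is REFUSED (rcode 5).
    """
    txid, qname, qtype, qclass, question = parse_question(query)
    in_zone = qname == ZONE or qname.endswith("." + ZONE)
    if not in_zone or qtype != 1 or qclass != 1:
        header = struct.pack("!HHHHHH", txid, 0x8405, 1, 0, 0, 0)  # QR, AA, REFUSED
        return header + question
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)      # QR, AA, 1 answer
    # Name = compression pointer to offset 12 (the question name); type A, class IN
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(source_ip)
    return header + question + rr


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal recursion-desired A/IN query (test input, not captured)."""
    name = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                    for lbl in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def answered_address(response: bytes) -> str:
    """Extract the echoed address from a response built by build_echo_response."""
    return socket.inet_ntoa(response[-4:])


def serve(bind=("0.0.0.0", 53)):
    """UDP loop: the source address of each datagram becomes its own answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (src_ip, src_port) = sock.recvfrom(512)
        try:
            sock.sendto(build_echo_response(data, src_ip), (src_ip, src_port))
        except (ValueError, struct.error):
            continue  # malformed query: drop it


if __name__ == "__main__":
    q = build_query("probe-7.canary.example")
    print(answered_address(build_echo_response(q, "203.0.113.9")))  # 203.0.113.9
```

Each probe should carry a fresh random label (probe-7 above) so that neither the local DNS nor any forwarder can answer it from cache, and the REFUSED branch keeps the server from acting as an open echo service for names outside the zone.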
The judgment module 120 may be configured to determine from the resolution result whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS and, if not, to determine that the local DNS carries a malicious risk. From the above analyses of the normal and the malicious resolution processes, the request source of the DNS resolution request provides a basis for judging whether a DNS is malicious, so the judgment module 120 can identify the risk of the DNS from the received DNS resolution result that contains the request source address information.
Fig. 4 is a schematic diagram of the device 100 for identifying the risk of a domain name resolution server according to another embodiment of the present invention. In this embodiment the device may additionally be provided with a statistics module 130, and the judgment module 120 may be provided with an address judgment submodule 122, an address identification submodule 124 and a time-to-live judgment submodule 126.
In the case where the authoritative DNS of the preset domain name is configured to use the request source address as the resolved address of the preset domain name, the address judgment submodule 122 may be configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and, if the address of the local DNS and the resolved address match, determine that the DNS resolution request was sent directly by the local DNS.
When matching the address of the local DNS against the resolved address in the resolution result, the address judgment submodule 122 may directly judge whether the resolved address and the local DNS to be identified are consistent, for example by comparing whether the address of the local DNS and the resolved address are identical; if identical, the address of the local DNS and the resolved address match.
Considering that one DNS server may have several IP addresses, in order to avoid false positives the address judgment submodule 122 may also compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and the operator to which an address belongs; if identical, the address of the local DNS and the resolved address match. In the situation of China, the region can be accurate to the province, and the operators include China Telecom, China Unicom, China Mobile and China Tietong. If two addresses differ but belong to the same province (or some other region), the two addresses may be considered matched. More strictly, the operator may be added as a restriction: two different addresses are considered matched only if both the province (or region) and the operator are the same, and if either the province (or region) or the operator differs, they do not match.
Since the forwarding DNS commonly used by malicious DNS is generally a public DNS, if a DNS resolution request turns out to have been forwarded through a public DNS, the malice rating of the local DNS needs to be raised. The address identification submodule 124 can therefore identify whether the resolved address is the address of a public DNS and, if so, raise the risk level of the local DNS. The addresses of public DNS servers can be stored as a preset database on the user side, or stored on the network side for the user side to query.
The time-to-live judgment submodule 126 can obtain the time-to-live value of the resolution result, judge whether the time-to-live value of the resolution result does not exceed the time-to-live preset by the authoritative DNS and, if it does exceed it, raise the risk level of the local DNS.
The time-to-live (TTL) of DNS denotes how long a domain name resolution record may be cached on a DNS server. When the local DNS server receives a resolution request, it sends a resolution request to the domain's authoritative DNS to obtain the resolution record; after obtaining this record, the local DNS server caches it for a period of time, and if it receives another resolution request for this domain name within that period, it no longer sends a request to the authoritative DNS but directly returns the record just obtained. The time this record is allowed to remain on the local DNS server is the TTL value.
In embodiments of the present invention, the authoritative DNS of the preset domain name can set the TTL to a small value, for example between 0 and 60 seconds. If the TTL in the resolution result obtained by the time-to-live judgment submodule 126 is larger than the preset value, this indicates that the information returned by the authoritative DNS has been altered, and the danger coefficient increases.
The above device 100 for identifying the risk of a domain name resolution server can be deployed in a client on the user side. In operation it initiates a resolution request for the preset domain name, receives the resolution result returned by the authoritative DNS of the preset domain, and judges whether the address of the DNS resolution request source contained in that result is identical to the local DNS to be identified, or belongs to the same area (geographic region and operator). The whole process is simple, requires no accumulation of large amounts of data, and is highly accurate.
When a batch of DNS servers needs to be identified, the statistics module 130 can record the resolved addresses of multiple local DNS servers to generate a resolved address list, count the number of times each resolved address appears in the list, sort the addresses by count in descending order, and raise the risk level of the local DNS servers corresponding to the highest-ranked resolved addresses. That is, the above identification is performed on multiple local DNS servers, and the risk of these local DNS servers is then judged according to whether several of them return the same last-hop exit IP.
The present invention also provides a kind of recognition methods of domain name resolution server danger, the domain name resolution server is dangerous The recognition methods of property can by the identification device 100 of any domain name resolution server danger introduced in above example It performs, to improve the recognition accuracy of malice DNS, identification process is simply easily achieved.Fig. 5 is according to one embodiment of the invention Domain name resolution server danger recognition methods schematic diagram, the recognition methods packet of domain name resolution server danger It includes:
Step S502 obtains the analysis result that local dns to be identified are obtained to presetting domain name mapping;
Whether step S504, the dns resolution that DNS is authorized to receive for determining default domain name according to analysis result are asked by local DNS is directly transmitted;
Step S506, if it is not, determining local dns, there are malice risks.
The mandate DNS of default domain name can add the request source address information of dns resolution request in analysis result, such as Using the request source address of dns resolution request as the parsing address of default domain name or according to the request source asked dns resolution Address carries out certain logical calculated, and the parsing address and the request source address of dns resolution request for making default domain name correspond, So as to subsequent judgement.
The judgement in step S504 is made by checking the request source IP of the DNS resolution request received by the authoritative DNS; call it IP4. IP4 is compared with the address of the local DNS, call it IP1. If the two IPs are identical, or if they differ but have the same attribution (they belong to the same province and the same operator), it can be confirmed that this local DNS did not forward the resolution request for the preset domain name. If the two IPs differ and their attributions also differ (either the province or the operator is different), the request was forwarded, and there is a suspicion of hijacking.
For example, the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name. An optional implementation of step S504 is then: obtain the address of the local DNS; match the address of the local DNS against the resolved address; if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS. Matching the address of the local DNS against the resolved address includes comparing whether the two addresses are identical and, if so, determining that they match. Matching can additionally include comparing whether the attribution information of the local DNS address and the attribution information of the resolved address are identical, where attribution information includes the region and/or the operator an address belongs to; if identical, the addresses are determined to match.
If the address of the local DNS and the resolved address do not match, it can further be identified whether the resolved address is the address of a public DNS; if so, the risk level of the local DNS is raised. The time-to-live (TTL) value of the resolution result can also be obtained and it can be judged whether it does not exceed the TTL preset by the authoritative DNS; if it does exceed it, the risk level of the local DNS is raised.
When the address of the local DNS and the resolved address do not match, a batch of DNS servers can also be examined together. The method of this embodiment can then further include: recording the resolved address of each of the multiple local DNS servers to generate a resolved address list; counting the number of times each resolved address appears in the list and sorting by that count from high to low; and raising the risk level of the local DNS servers whose resolved addresses sort near the top.
To use the identification method of this embodiment, the preset domain name and its authoritative DNS must first be set up. For example, in the network environment shown in Fig. 1 and Fig. 2, a special domain name is set up on the authoritative DNS of abc.com, say check.abc.com, with its TTL set to 0. When the authoritative DNS receives a request for this domain name, it first obtains the source IP address that directly sent the request, say IP2=58.240.56.14, and returns that address as the A record of check.abc.com. What the local DNS obtains is then a DNS response record similar to the following:
check.abc.com. 0 IN A 58.240.56.14 (this record means check.abc.com resolves to an A record of 58.240.56.14 with TTL 0). The resolution result returned by the authoritative DNS can then be used for the judgement.
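The record above is what the authoritative side has to produce. As an added example (not the patent's own code), the following builds that reply in DNS wire format: the requester's source address becomes the A record of check.abc.com with TTL 0, and any other name is refused. The hand-built query packet, the REFUSED rule for other names and the one-shot UDP helper are assumptions of this example.

```python
import socket
import struct

CHECK_NAME = "check.abc.com"   # the preset check domain from the patent
CHECK_TTL = 0                  # TTL the patent sets on the check record


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = ((ln & 0x3F) << 8) | pkt[off + 1]
            tail, _ = decode_name(pkt, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A query (RD=1), as a local DNS would send it upstream."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # A, IN


def answer_check(query: bytes, source_ip: str) -> bytes:
    """Authoritative reply: the requester's source IP as the A record of
    CHECK_NAME with TTL 0 (so nothing caches it); other names get REFUSED."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    base = 0x8400 | (flags & 0x0100)               # QR=1, AA=1, copy RD
    if qname.lower() != CHECK_NAME or qtype != 1:
        hdr = struct.pack("!HHHHHH", txid, base | 5, qdcount, 0, 0, 0)  # RCODE 5
        return hdr + question
    hdr = struct.pack("!HHHHHH", txid, base, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12, type A, class IN.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, CHECK_TTL, 4) + socket.inet_aton(source_ip)
    return hdr + question + rr


def parse_answer(resp: bytes):
    """Return (rcode, ttl, ip) of a single-answer reply; ttl/ip are None
    when the reply carries no answer (e.g. REFUSED)."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    _, off = decode_name(resp, 12)
    off += 4                                        # skip QTYPE/QCLASS
    if ancount == 0:
        return rcode, None, None
    _, off = decode_name(resp, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return rcode, ttl, socket.inet_ntoa(rdata) if rtype == 1 else None


def serve_once(sock: socket.socket) -> None:
    """One request/response on an already bound UDP socket: the address that
    recvfrom reports is the request source the patent echoes back."""
    data, (src_ip, src_port) = sock.recvfrom(512)
    sock.sendto(answer_check(data, src_ip), (src_ip, src_port))


if __name__ == "__main__":
    reply = answer_check(build_query(CHECK_NAME), "58.240.56.14")
    print(parse_answer(reply))   # (0, 0, '58.240.56.14')
```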
When a single local DNS (assume its address is IP1=58.240.56.14) is identified, DNS query tools such as nslookup or dig can be used to obtain the resolution result that the local DNS returns for check.abc.com. The following uses the common dig (domain information groper) command on a Linux system. Below is sample output of a dig request for check.abc.com:
The resolution result for check.abc.com in the above output is IP2=61.190.31.58; compared with IP1=58.240.56.14, the two IPs differ. Next, the attribution (location and operator) of the two addresses is looked up: IP2 is attributed to "Hefei, Anhui, China Telecom" and IP1 to "Nanjing, Jiangsu, China Unicom". The two IPs are in different locations, which shows that the local DNS under identification forwarded the resolution request for check.abc.com to a server in Nanjing; this DNS may therefore be a rogue DNS, and its danger coefficient increases.
Checking the returned TTL further, it is found to have been changed to 3600 seconds, clearly more than the preset 0 seconds, which indicates that the information returned by the authoritative DNS was tampered with; the danger coefficient increases.
It is then checked whether IP2 appears in a list of common public DNS servers (such as Google DNS, 114DNS, DNS group, etc.). If IP2 is in the list, this local DNS forwarded the resolution request for check.abc.com to a public DNS, and the danger coefficient increases.
Below is the resolution result of another local DNS to be identified (218.247.244.2) for check.abc.com:
As can be seen, the resolution result for this local DNS is 218.247.244.2: the two IPs are the same and the TTL value is 0, showing that the DNS resolution request was not forwarded to another server and the TTL was not tampered with. The danger coefficient of this local DNS (218.247.244.2) is therefore relatively small.
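The single-DNS checks of step S504 and the walk-through above (address comparison, attribution comparison, public DNS list, TTL check), as an added example that is not the patent's own code. The attribution table reproduces the two values the patent quotes plus constructed entries, the public resolver list is a constructed stand-in, and the TTL check is run on every answer rather than only after a mismatch, which is a deliberate generalisation of the patent's claim A6.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed attribution table: IP -> (province, operator). In practice this
# comes from an IP geolocation/ISP database; the first two entries are the
# values quoted in the walk-through, the others are made up for this example.
ATTRIBUTION: Dict[str, Tuple[str, str]] = {
    "58.240.56.14": ("Jiangsu", "China Unicom"),
    "61.190.31.58": ("Anhui", "China Telecom"),
    "192.0.2.10": ("Jiangsu", "China Unicom"),     # constructed
    "218.247.244.2": ("Beijing", "China Unicom"),  # constructed attribution
}
# Constructed list standing in for the "public DNS" list the patent consults.
PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "114.114.114.114", "114.114.115.115"}
AUTH_TTL = 0   # TTL preset on check.abc.com at the authoritative DNS


def parse_a_record(line: str) -> Tuple[int, str]:
    """Parse an answer line such as 'check.abc.com. 0 IN A 58.240.56.14'
    (dig answer-section format) into (ttl, ip)."""
    _name, ttl, rclass, rtype, rdata = line.split()
    if rclass != "IN" or rtype != "A":
        raise ValueError(f"not an IN A record: {line!r}")
    return int(ttl), rdata


def addresses_match(local_ip: str, resolved_ip: str) -> bool:
    """Step S504 matching: identical address, or same province and operator."""
    if local_ip == resolved_ip:
        return True
    a, b = ATTRIBUTION.get(local_ip), ATTRIBUTION.get(resolved_ip)
    return a is not None and a == b


@dataclass
class Assessment:
    local_ip: str
    resolved_ip: str
    ttl: int
    risk: int = 0                 # "danger coefficient": number of failed checks
    reasons: List[str] = field(default_factory=list)


def assess(local_ip: str, answer_line: str) -> Assessment:
    """Score one local DNS from the answer it returned for the check domain."""
    ttl, resolved_ip = parse_a_record(answer_line)
    out = Assessment(local_ip, resolved_ip, ttl)
    if addresses_match(local_ip, resolved_ip):
        out.reasons.append("request reached the authoritative DNS directly")
    else:
        out.risk += 1
        out.reasons.append(f"request forwarded: {local_ip} -> {resolved_ip}")
        if resolved_ip in PUBLIC_DNS:
            out.risk += 1
            out.reasons.append("forwarded to a public DNS")
    if ttl > AUTH_TTL:   # tampered cache lifetime; checked on every answer here
        out.risk += 1
        out.reasons.append(f"TTL {ttl} exceeds preset {AUTH_TTL}: answer tampered")
    return out


if __name__ == "__main__":
    for local, line in [
        ("58.240.56.14", "check.abc.com. 3600 IN A 61.190.31.58"),
        ("218.247.244.2", "check.abc.com. 0 IN A 218.247.244.2"),
    ]:
        a = assess(local, line)
        print(local, a.risk, "; ".join(a.reasons))
```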
The identification method of the embodiment can also examine a batch of DNS servers together, for example a batch of local DNS servers to be detected expressed as a list {dns1, dns2, dns3, ...}.
First, using the single-DNS detection method introduced above, a DNS resolution request for the preset domain name is issued through each DNS in the list in turn, yielding a list of returned IPs {ip1, ip2, ip3, ...}. After the known public DNS servers are excluded from this list, the number of DNS servers to be identified that returned each ipn is counted, giving a corresponding list {cnt1, cnt2, cnt3, ...}, where cnti means that a total of cnti DNS servers to be identified returned ipi. If some ip is returned many times, the danger coefficient of the DNS servers that returned that ip increases.
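The batch statistics of the statistics module 130 and of the paragraph above (exclude public DNS, count how many servers return each egress IP, sort high to low, raise the risk of the servers behind the most shared egress), as an added example that is not the patent's own code. The batch records use documentation address ranges and are constructed for this example.

```python
from collections import Counter
from typing import List, Tuple

# Constructed public-resolver list (the patent excludes these before counting).
PUBLIC_DNS = {"8.8.8.8", "114.114.114.114"}

# Constructed batch: (address of the local DNS under test, IP returned for the
# check domain). Documentation ranges only; no real resolvers are named.
BATCH: List[Tuple[str, str]] = [
    ("192.0.2.1", "192.0.2.1"),        # reached the authoritative DNS itself
    ("192.0.2.2", "203.0.113.9"),      # three servers share one egress IP
    ("192.0.2.3", "203.0.113.9"),
    ("192.0.2.4", "203.0.113.9"),
    ("192.0.2.5", "8.8.8.8"),          # forwarded to a public DNS: excluded
    ("192.0.2.6", "198.51.100.7"),
]


def egress_counts(records: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """The patent's {ip_n: cnt_n}: for each returned IP, how many local DNS
    returned it, after dropping direct answers and known public DNS.
    Sorted from high to low."""
    counts: Counter = Counter()
    for local_ip, resolved_ip in records:
        if resolved_ip == local_ip or resolved_ip in PUBLIC_DNS:
            continue
        counts[resolved_ip] += 1
    return counts.most_common()


def rank_local_dns(records: List[Tuple[str, str]],
                   top_k: int = 1) -> List[Tuple[str, str, int]]:
    """Local DNS whose returned IP is among the top_k most shared egress IPs,
    as (local, egress, cnt) tuples, highest count first. These are the
    servers whose risk level the patent raises for closer inspection."""
    ranked = egress_counts(records)
    top = {ip for ip, _ in ranked[:top_k]}
    count = dict(ranked)
    hits = [(local, egress, count[egress]) for local, egress in records if egress in top]
    return sorted(hits, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for local, egress, n in rank_local_dns(BATCH):
        print(f"{local} forwards to {egress} (shared by {n} servers)")
```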
Using the identification method of this embodiment, DNS servers with a high danger coefficient can be quickly filtered out of a large number of local DNS servers, and other inspection methods can then be applied to determine whether they are in fact malicious, avoiding the prior-art problem of having to obtain legitimate resolution results in advance. It is enough to set up a preset detection domain name such as check on the authoritative DNS, and the danger of a DNS can be identified from the resolution result.
In the method of the present invention, a DNS resolution request for a preset domain name is initiated through the local DNS to be identified, and the resolution result returned by the authoritative DNS of the preset domain name reflects the source address of the request. Since a malicious DNS generally forwards DNS resolution requests that fall outside the scope of its tampering to another DNS resolution server to be resolved on its behalf, judging whether the DNS resolution request received by the authoritative DNS was sent directly by the local DNS reveals whether the resolution was forwarded to another DNS resolution server, and so whether the DNS carries a risk of being malicious.
Further, the authoritative DNS of the preset domain name can be configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, so that once the resolution result of the preset domain name is obtained, it can be judged directly whether the resolved address matches the address of the local DNS, whether the local DNS completed the entire resolution process itself, and therefore whether the local DNS is malicious.
Further, the method of the invention only requires setting up one test domain name that detects the request source address of the DNS resolution request to obtain the basis for judging a DNS, without accumulating a large amount of data for analysis, so the identification process is simple and easy to implement.
Numerous specific details are set forth in the specification provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for identifying domain name resolution server danger according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
So far, although those skilled in the art will recognise that multiple exemplary embodiments of the invention have been shown and described in detail herein, many other variations or modifications consistent with the principles of the invention may still be determined or derived directly from the present disclosure without departing from the spirit and scope of the invention. The scope of the invention should therefore be understood and deemed to cover all such other variations or modifications.
Embodiments of the present invention further provide A1. A method for identifying the danger of a domain name resolution server, including:
obtaining the resolution result that a local DNS to be identified obtained by resolving a preset domain name;
determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, wherein the resolution result includes request source address information of the DNS resolution request added by the authoritative DNS;
if not, determining that the local DNS carries a risk of being malicious.
A2. The method according to A1, wherein
the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name;
determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS includes:
obtaining the address of the local DNS;
matching the address of the local DNS against the resolved address;
if the address of the local DNS matches the resolved address, determining that the DNS resolution request was sent directly by the local DNS.
A3. The method according to A2, wherein matching the address of the local DNS against the resolved address includes:
comparing whether the address of the local DNS and the resolved address are identical;
if identical, determining that the address of the local DNS matches the resolved address.
A4. The method according to A2, wherein matching the address of the local DNS against the resolved address includes:
comparing whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or operator to which an address belongs;
if identical, determining that the address of the local DNS matches the resolved address.
A5. The method according to any one of A2 to A4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
identifying whether the resolved address is the address of a public DNS;
if so, raising the risk level of the local DNS.
A6. The method according to any one of A2 to A4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
obtaining the TTL value of the resolution result;
judging whether the TTL value of the resolution result does not exceed the TTL preset by the authoritative DNS;
if not, raising the risk level of the local DNS.
A7. The method according to any one of A2 to A4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
recording the respective resolved addresses of multiple local DNS servers to generate a resolved address list;
counting the number of times each resolved address appears in the resolved address list, and sorting by that number from high to low;
raising the risk level of the local DNS servers corresponding to the resolved addresses that sort near the top.
In addition, the present invention further provides B8. A device for identifying the danger of a domain name resolution server, including:
an acquisition module configured to obtain the resolution result that a local DNS to be identified obtained by resolving a preset domain name;
a judgement module configured to determine, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, and if not, to determine that the local DNS carries a risk of being malicious, wherein the resolution result includes request source address information of the DNS resolution request added by the authoritative DNS.
B9. The device according to B8, wherein the judgement module includes:
an address judging sub-module configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS, the authoritative DNS of the preset domain name being configured to use the address of the request source as the resolved address of the preset domain name.
B10. The device according to B9, wherein the address judging sub-module is further configured to:
compare whether the address of the local DNS and the resolved address are identical;
if identical, determine that the address of the local DNS matches the resolved address.
B11. The device according to B9, wherein the address judging sub-module is further configured to:
compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or operator to which an address belongs;
if identical, determine that the address of the local DNS matches the resolved address.
B12. The device according to any one of B9 to B11, wherein the judgement module further includes:
an address identification sub-module configured to: identify whether the resolved address is the address of a public DNS; if so, raise the risk level of the local DNS.
B13. The device according to any one of B9 to B11, wherein the judgement module further includes:
a TTL judging sub-module configured to: obtain the TTL value of the resolution result; judge whether the TTL value of the resolution result does not exceed the TTL preset by the authoritative DNS; if not, raise the risk level of the local DNS.
B14. The device according to any one of B9 to B11, further including:
a statistics module configured to: record the resolved addresses of multiple local DNS servers to generate a resolved address list; count the number of times each resolved address appears in the resolved address list, and sort by that number from high to low; raise the risk level of the local DNS servers corresponding to the resolved addresses that sort near the top.

Claims (14)

1. A method for identifying the danger of a domain name resolution server, applied at the user side, including:
obtaining the resolution result that a local DNS to be identified obtained by resolving a preset domain name;
determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, wherein the resolution result includes request source address information of the DNS resolution request added by the authoritative DNS, and wherein the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name;
if not, determining that the local DNS carries a risk of being malicious.
2. The method according to claim 1, wherein
determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS includes:
obtaining the address of the local DNS;
matching the address of the local DNS against the resolved address;
if the address of the local DNS matches the resolved address, determining that the DNS resolution request was sent directly by the local DNS.
3. The method according to claim 2, wherein matching the address of the local DNS against the resolved address includes:
comparing whether the address of the local DNS and the resolved address are identical;
if identical, determining that the address of the local DNS matches the resolved address.
4. The method according to claim 2, wherein matching the address of the local DNS against the resolved address includes:
comparing whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or operator to which an address belongs;
if identical, determining that the address of the local DNS matches the resolved address.
5. The method according to any one of claims 2 to 4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
identifying whether the resolved address is the address of a public DNS;
if so, raising the risk level of the local DNS.
6. The method according to any one of claims 2 to 4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
obtaining the TTL value of the resolution result;
judging whether the TTL value of the resolution result does not exceed the TTL preset by the authoritative DNS;
if not, raising the risk level of the local DNS.
7. The method according to any one of claims 2 to 4, wherein,
if the address of the local DNS and the resolved address do not match, the method further includes:
recording the respective resolved addresses of multiple local DNS servers to generate a resolved address list;
counting the number of times each resolved address appears in the resolved address list, and sorting by that number from high to low;
raising the risk level of the local DNS servers corresponding to the resolved addresses that sort near the top.
8. A device for identifying the danger of a domain name resolution server, applied at the user side, including:
an acquisition module configured to obtain the resolution result that a local DNS to be identified obtained by resolving a preset domain name;
a judgement module configured to determine, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, the authoritative DNS being configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, and if not, to determine that the local DNS carries a risk of being malicious, wherein the resolution result includes request source address information of the DNS resolution request added by the authoritative DNS.
9. The device according to claim 8, wherein the judgement module includes:
an address judging sub-module configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS, the authoritative DNS of the preset domain name being configured to use the address of the request source as the resolved address of the preset domain name.
10. The device according to claim 9, wherein the address judging sub-module is further configured to:
compare whether the address of the local DNS and the resolved address are identical;
if identical, determine that the address of the local DNS matches the resolved address.
11. The device according to claim 9, wherein the address judging sub-module is further configured to:
compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or operator to which an address belongs;
if identical, determine that the address of the local DNS matches the resolved address.
12. The device according to any one of claims 9 to 11, wherein the judgement module further includes:
an address identification sub-module configured to: identify whether the resolved address is the address of a public DNS; if so, raise the risk level of the local DNS.
13. The device according to any one of claims 9 to 11, wherein the judgement module further includes:
a TTL judging sub-module configured to: obtain the TTL value of the resolution result; judge whether the TTL value of the resolution result does not exceed the TTL preset by the authoritative DNS; if not, raise the risk level of the local DNS.
14. The device according to any one of claims 9 to 11, further including:
a statistics module configured to: record the resolved addresses of multiple local DNS servers to generate a resolved address list; count the number of times each resolved address appears in the resolved address list, and sort by that number from high to low; raise the risk level of the local DNS servers corresponding to the resolved addresses that sort near the top.
Application CN201410735253.3A, priority date 2014-12-04, filing date 2014-12-04: Method and device for identifying the danger of a domain name resolution server. Status: Active. Granted publication CN104468860B (en).


Publications (2)

Publication Number Publication Date
CN104468860A CN104468860A (en) 2015-03-25
CN104468860B true CN104468860B (en) 2018-06-26

Family

ID=52914207

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20210512
Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
Patentee after: Beijing Hongteng Intelligent Technology Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.
CP01 Change in the name or title of a patent holder
Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
Address before: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
Patentee before: Beijing Hongteng Intelligent Technology Co.,Ltd.